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VIRTUAL PRIVATE NETWORK WITH MULTIPLE TUNNELS 
ASSOCIATED WITH ONE GROUP NAME 

TECHNICAL FIELD 

The present invention relates to the field of data communications, and more 
particularly to a virtual private network with multiple tunnels associated with a group of 
users where the server node in the virtual private network has a single tunnel definition 
and a single security policy for the multiple tunnels associated with the group. 

BACKGROUND INFORMATION 

Security is a significant concern in the communication between computer 
networks over apublic network, e.g. , institutional intranets and Internet. Public networks 
provide the capability for a large number of diverse users to establish communication 
links between each other. A series of servers and switching systems route packets of data 
between various users based upon addresses using communication protocols such as 
TCP/IP. Unfortunately, packets of data move between senders and recipients through 
various pathways that are unsecured, i.e. ; third parties may gain access to data sent 
between authorized senders and recipients. 

One solution to secure the transfer of data between senders and recipients over 
a public network is through a virtual private network. A virtual private network (VPN) 
is an extension of an enterprise's private intranet across a public network such as the 
Internet, creating a secure private connection, commonly referred as a "tunnel" For 
example, virtual private networks may be established between an enterprise's private 
intranet and remote users, branch offices or business partners. The secure private 
connection, i.e., tunnel, is established between sites, commonly referred to as "nodes." 
Once the tunnel is established, data may be transmitted between nodes without the risk 
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of interception by unauthorized users through the use of encryption, e.g., preshared keys, 
public keys. A preshared key is a value that is used to authenticate the nodes of a tunnel. 
That is, the same preshared key must be possessed by the two nodes in order to create a 
tunnel between the nodes. 

A virtual private network may be configured by having one node designated as 
the server node and a plurality of nodes designated as client nodes. Each client node is 
connected to the server node establishing a plurality of tunnels between the client nodes 
and the server node. A tunnel definition defines the end points of a tunnel thereby 
establishing a tunnel. A security policy describes the characteristics of protection for the 
transfer of information between the nodes defining the tunnel In prior art virtual private 
networks, VPN's create a security policy and a tunnel definition in the server node for 
each of the plurality of tunnels connected to the server node thereby resulting in a large 
number of security policies to be created and maintained for the many users of resources 
on a network. 

It would therefore be desirable to develop a virtual private network where the 
server node has one security policy and one tunnel definition associated with a plurality 
of tunnels where the plurality of tunnels are associated with a group, i.e., group of users. 
It would further be desirable to allow the users to be identified by any specified name. 
It would further be desirable to allow a non-contiguous set of ID types to be defined as 
a group. 
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SUMMARY 

The problems outlined above may at least in part be solved in some embodiments 
by configuring a group database in the server node where the group database comprises 
a group name and a list of members associated with the group name. Furthermore, a 
rules database in the server node is configured. The rules database associates the group 
name with a particular security policy. The server node then has a single security policy 
for each of the plurality of tunnels associated with the group name. Furthermore, a 
tunnel definition database in the server node is configured. In the tunnel definition 
database, the remote ID is defined as the group name. The server node then has a single 
tunnel definition for each of the plurality of tunnels associated with the group name. 

In one embodiment, a method for allowing a server node in a virtual private 
network to have a single tunnel definition and a single security policy for a plurality of 
tunnels associated with a group name comprises the step of configuring a group database 
in the server node. The group database comprises the group name and a list of members 
associated with the group name. The method further comprises configuring a rules 
database in the server node. The rules database associates the group name with a 
particular security policy. The method further comprises configuring a tunnel definition 
database in the server node. In the tunnel definition database, the remote ID is defined 
as the group name. 

In another embodiment of the present invention, the list of members associated 
with the group name comprises a non-contiguous list of ID types, e.g., Internet Key 
Exchange (IKE) defined ID types such as Internet Protocol addresses, User@ Fully 
Qualified Domain Name (FQDN), FQDN, and X.500 Distinguished Name. In another 
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embodiment of the present invention, the members associated with the group name are 
identified by any specified name. 

The foregoing has outlined rather broadly the features and technical advantages 
of the present invention in order that the detailed description of the invention that follows 
may be better understood. Additional features and advantages of the invention will be 
described hereinafter which form the subject of the claims of the invention. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

A better understanding of the present invention can be obtained when the 
following detailed description is considered in conjunction with the following drawings, 
in which: 

Figure 1 illustrates an embodiment of a virtual private network; 

Figure 2 illustrates an embodiment of a node of the virtual private network; 

Figure 3 is a flowchart depicting a method for developing a virtual private 
network where the server node has one security policy and one tunnel definition for a 
plurality of tunnels associated with a group; 

Figure 4 illustrates an embodiment of establishing an ISAKMP security 
association between the server and client node establishing a particular tunnel; and 

Figure 5 illustrates an embodiment of a group database, a rules database and a 
tunnel definition database. 
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DETAILED DESCRIPTION 

The present invention comprises a virtual private network where the server node 
has a single tunnel definition and a single security policy for a plurality of tunnels 
associated with a group name. 

In one embodiment of the present invention a method comprises the step of configuring 
a group database in the server node. The group database comprises the group name and 
a list of members associated with the group name. The method further comprises 
configuring a rules database in the server node. The rules database associates the group 
name with a particular security policy. The method further comprises configuring a 
tunnel definition database in the server node. In the tunnel definition database, the 
remote ID is defined as the group name. In another embodiment of the present invention, 
the list of members associated with the group name comprises a non-contiguous list of 
ED types. In another embodiment of the present invention, the members associated with 
the group name are identified by any specified name. 

Figure 1 - Embodiment of a Virtual Private Network 

Figure 1 illustrates an embodiment of the present invention of a virtual private 
network 1 00. As stated in the Background Information section, a virtual private network 
is an extension of an enterprise's private intranet across a public network such as the 
Internet, creating a secure private connection. The secure private connection, i.e., tunnel, 
is established between sites, commonly referred to as nodes. A virtual private network 
may be configured by having one node designated as the server node and a plurality of 
nodes designated as client nodes. For example, virtual private network 100 establishes 
tunnels 120A-C between server node 1 10A and client nodes 1 10B-D. Tunnels 120A-C 
may collectively or individually be referred to as tunnels 120 or tunnel 120, respectively. 
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Nodes 1 10A-D may collectively or individually be referred to as nodes 1 10 or node 1 10, 
respectively. It is noted that virtual private network 100 may comprise any number of 
client nodes, e.g., 1 10B-D, and therefore any number of tunnels 120. It is further noted 
that virtual private network 100 may comprise any number of server nodes, e.g., 1 10A. 
It is further noted that virtual private network 100 may comprise any configuration and 
that Figure 1 is used for illustrative purposes only. 

Referring to Figure 1, tunnel 120A is established between server node 1 10A and 
client node 1 10B. Tunnel 120B is established between server node 1 10A and client node 
1 IOC. Tunnel 120C is established between server node 1 10A and client node 1 10D. 

FiRure 2 - Embodiment of a Node 

Figure 2 illustrates an embodiment of the present invention of node 1 10. It is 
noted that nodes 1 10 may exist in various embodiments and that Figure 2 is used for 
illustrative purposes only. Figure 2 illustrates a typical hardware configuration of node 
1 10 which may be representative of a hardware environment for practicing the present 
invention. Node 1 10 has a central processing unit (CPU) 210, such as a conventional 
microprocessor, coupled to various other components by system bus 212. Read only 
memory (ROM) 216 is coupled to system bus 212 and includes a basic input/output 
system ("BIOS") that controls certain basic functions of node 110. Random access 
memory (RAM) 214, I/O adapter 21 8, and communications adapter 23 4 are also coupled 
to system bus 212. RAM 214 typically provides age of information, such as executable 
processes and contents of data packets transferred through node 110. An operating 
system, portions of which are typically resident in RAM 214 or ROM 216 and executed 
by CPU 210, functionally organizes node 1 10 by, inter alia, invoking network operations 
in support of those processes executing in CPU 210. I/O adapter 218 may be a small 
computer system interface ("SCSI") adapter that communicates with disk units 220 and 
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tape drives 240. Communications adapter 234 interconnects bus 212 with an outside 
network enabling node 1 1 0 to communicate with another node 1 1 0 thereby establishing 
a tunnel in a virtual private network. Input/Output devices may also be connected to 
system bus 212 via a user interface adapter 222 and a display adapter 236. A display 
monitor 238 is connected to system bus 212 by display adapter 236. In this manner, a 
user is capable of inputting to node 1 10 through a keyboard 224 or a mouse 226 and 
receiving output from node 1 10 via display 38. 

Figure 3 - Method for Establishing Server Node With the Same Tunnel Definition and 
the Same Security Policy for Multiple Tunnels Associated With a Group 

Figure 3 illustrates a flowchart of one embodiment of the present invention of a 
method 300 for developing a virtual private network where the server node has one 
security policy and one tunnel definition associated with a plurality of tunnels where the 
plurality of tunnels are associated with a group, i.e., group of users. A plurality of 
tunnels, e.g., 120A-C, may be associated with a group of users where each user in the 
group has access to one of the plurality of tunnels 120. As stated in the Background 
Information section, prior art virtual private networks, VPN's create a security policy and 
a tunnel definition in the server node for each of the plurality of tunnels connected to the 
server node thereby resulting in a large number of security policies to be created and 
maintained for the many users of resources on a network. Method 300 creates a concept 
of a "group" where each of a plurality of tunnels 120 is associated with a member, i.e., 
user, of a group. Server node 1 10A may then have one security policy and one tunnel 
definition for each of the plurality of tunnels 120 associated with the group as will be 
described below. Furthermore, method 300 allows a non-contiguous set of ED types, e.g., 
Internet Protocol addresses, User@FQDN, FQDN, and X.500 Distinguished Name, to 
be defined as a group to be associated with a plurality of tunnels 120. A detailed 
explanation of method 300 is provided below. 
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In step 3 1 0, a group database in the server node 1 1 OA is configured so that a list 
of members, i.e., users, are associated with a particular group name. The group database 
defines a group, i.e., a group of users associated with a particular group, where each 
member of that group has access to one of a plurality of tunnels 120 associated with a 
group. In an embodiment of the present invention, the group database defines the group 
name as well as all the users associated with that particular group. For example, a group 
may have the name of "engineers jprojectl . " The group database would then have a list 
of users associated with the group, e.g., all engineers working on project 1 . 

An example of an embodiment of a group database in the server node 1 1 OA is 
provided in Figure 5. In Figure 5, group database 510 comprises a group name, the ID's 
of all the members of the particular group and the ID types of all the members of the 
particular group, e.g., Internet Key Exchange (IKE) defined ID types such as Internet 
Protocol addresses, User@FQDN, FQDN, and X.500 Distinguished Name. In another 
embodiment, the ID's of all the members of the particular group may be explicit or 
wildcarded. In another embodiment, the IDs of the members of the group may be 
specified by any name by a user. For example, the ID may be the login ID of the user on 
the system, such as "bob", so that a system administrator could easily identify who has 
access to a specific tunnel 120 by viewing the IDs in the group. In another embodiment, 
the member ID types may be a non-contiguous set of addresses associated with a group 
where each member, i.e., user, of the group has access to a particular tunnel 120. 

In one embodiment, the group database in the server node 11 OA may be 
configured by a user entering the group name, ID type of each member of the particular 
group, e.g., IKE defined ID types such as Internet Protocol addresses, User@FQDN, 
FQDN, and X.500 Distinguished Name, and the ID's of all the members of the particular 
group through a graphical user interface (GUI). In another embodiment, the group 
database in the server node 1 10A may be configured by a user entering the group name, 
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ID type of each member of the particular group, e.g., IKE defined ID types such as 
Internet Protocol addresses, User@FQDN, FQDN, and X.500 Distinguished Name, and 
the ID's of all the members of the particular group through a command line interface. In 
another embodiment, the group database in the server node 1 10A may be configured by 
a user entering the group name, ID type of each member of the particular group, e.g., IKE 
defined ID types such as Internet Protocol addresses, User@FQDN, FQDN, and X.500 
Distinguished Name, and the ID's of all the members of the particular group through 
configuration files. Typically the group database resides on disk, e.g., disk 220 of node 
110. It is noted that the members of a particular group name may be added, deleted or 
updated. It is further noted that the group database may only be defined in the server 
node 1 10A and not in the client nodes, e.g., 1 10B-D. 

In step 320, a rules database in the server node 1 1 OA is configured so that the 
particular group name is associated with a particular type of security policy defined in a 
policy database in the server node 11 OA Since the group name is associated with a 
particular type of security policy, the server node 1 10A assigns the same security policy 
for each of the plurality of tunnels associated with the group name. An example of an 
embodiment of a rules database is provided in Figure 5. In Figure 5, rules database 520 
comprises a remote ID, e.g., group name, remote ED type, e.g., group name ID type, and 
a security policy pointer which points to the particular security policy defined in the 
policy database. The remote ID and remote ID type refers to the ID and ID type of the 
nodes on the opposite end of the tunnels, e.g., client nodes, associated with a group name 
as a group. Typically, the policy database resides on disk, e.g., disk 220, of node 1 10A. 
In one embodiment, the rules database in server node 1 1 OA may be configured by a user 
entering the remote ID, e.g., group name, the remote ID type, e.g., group name ID type, 
and the security policy pointer through a graphical user interface (GUI). In another 
embodiment, the rules database in server node 11 OA may be configured by a user 
entering the remote ID, e.g., group name, the remote ID type, e.g., group name ID type, 
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and the security policy pointer through a command line interface. In another 
embodiment, the rules database in server node 11 OA may be configured by a user 
entering the remote ID, e.g., group name, the remote ID type, e.g., group name ID type, 
and the security policy pointer through configuration files. Typically the rules database 
resides on disk, e.g., disk 220, of node 11 OA. It is noted each of the client nodes, e.g., 
1 1 OB-D, has a rules database as well. The rules database may comprise a remote ID, e.g., 
VPN server, a remote ID type and a security policy pointer which points to the particular 
security policy defined in the policy database of the client node, e.g., 1 10B. It is further 
noted that the rules database in the client nodes, e.g., 11 OB-D, may be similarly 
configured as the rules database in the server node 1 10A. 

In step 330, a tunnel definition database in the server node 1 1 OA is configured so 
that the server node 1 10A has one tunnel definition for each of the plurality of tunnels 
120 associated with a group name. As stated in the Background Information section, the 
tunnel definition establishes the end points of that particular tunnel 120. An example of 
an embodiment of a tunnel definition database is provided in Figure 5. In Figure 5, 
tunnel definition database 530 in server node 1 10A comprises the local ED, the local ID 
type, the remote ID and the remote ID type. The local ID and local ID type refers to the 
ID and ID type, e.g., IKE defined ID types such as Internet Protocol addresses, 
User@FQDN, FQDN, and X.500 Distinguished Name, of the server node 110A The 
remote ID and remote ID type refers to the ID and ID type, e.g., IKE defined ID types 
such as Internet Protocol addresses, User@FQDN, FQDN, and X.500 Distinguished 
Name, of the client node, e.g., 1 10B. By defining the local ED, the local ID type, the 
remote ID and the remote ID type, a tunnel 120 is defined between the nodes 110 
associated with the local ID and remote ED. That is, the end points of a particular tunnel 
120 are established. 
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In one embodiment, the tunnel definition database in the server node 1 10A may 
be configured by a user entering the local ID, the local ED type, the remote ID and the 
remote ID type through a GUI. In another embodiment, the tunnel definition database 
in the server node 1 1 OA may be configured by a user entering the local ID, the local ID 
type, the remote ID and the remote ID type through a command line interface. In another 
embodiment, the tunnel definition database in the server node 1 10A may be configured 
by a user entering the local ID, the local ID type, the remote ID and the remote ID type 
through configuration files. Typically the tunnel definition database resides on disk, 
e.g., disk 220, of server node 1 1 OA. It is noted each of the client nodes, e.g., 1 1 OB-D, has 
a tunnel definition database as well. The tunnel definition database may comprise a local 
ED, a local ID type, a remote ID and a remote ID type. It is further noted that the tunnel 
definition database in the client nodes, e.g., 1 1 OB-D, may be similarly configured as the 
tunnel definition database in the server node 1 10A 

As stated above, a tunnel definition database in the server node 11 OA is 
configured so that the server node 1 1 OA has one tunnel definition for each of the plurality 
of tunnels 120 associated with a group name. The server node 1 lOAhas the same tunnel 
definition for each of the plurality of tunnels 120 associated with a group name by 
defining the remote ID of the server node 1 1 OA as the same particular group name. For 
example, referring to Figure 5, tunnel definition database 530 assigns the remote ID as 
a group name, e.g., VPNA. The remote ED type is a group. The local ID and local ID 
type is the ID and ID type of the server node 1 10A. 

In step 340, a particular tunnel 120 of the plurality of tunnels 120 associated with 
a member of a particular group is activated. The particular tunnel is activated through 
a protocol, Internet Key Exchange (IKE), that is used to establish security associations 
that are needed by various services, e.g., IPSec uses IKE to establish the security 
associations needed to generate and refresh its keys. 
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The VPN security policy typically describes the characteristics of the protection 
for a particular traffic profile. That is, the VPN security policy describes the protection 
of the flow of data between the plurality of nodes 1 10 establishing the tunnel 120 of the 
virtual private network. Furthermore, the VPN security policy describes how the traffic 
is to be protected, e.g., authentication, encryption, transforms, key lengths and lifetimes, 
etc. VPN policies can be defined per node 110 but can be implemented in a centralized 
directory to provide better scalability and management. Essentially both nodes 110 
establishing the tunnel need to have matching policies for the same traffic profile before 
such traffic can be allowed to flow between the nodes 110, i.e., communicating between 
the nodes 110. One node 1 1 0 may have a policy that is more granular or restrictive than 
the other node as long as both nodesl 10 agree on the same set of protection suites at any 
point in time. Typically the security policy is stored in a policy database which resides 
on disk, e.g., disk 220, of node 1 10. 

In one embodiment, the policy database in the server node 11 OA and in the 
plurality of client nodes, e.g., 1 10B-D, may be configured by a user entering a security 
policy through a GUI at each respective node 110. In another embodiment, the policy 
database in the server node 1 10A and in the plurality of client nodes, e.g., 1 10B-D, may 
be configured by a user entering a security policy through a command line interface at 
each respective node 110. In another embodiment, the policy database in the server node 
1 1 OA and in the plurality of client nodes, e.g., 1 10B-D, may be configured by a user 
entering a security policy through configuration files at each respective node 1 10. 

As stated above, IKE is used to establish security associations in order to activate 
a particular tunnel 120. IKE is made up of two phases defined within an Internet 
Security Association and Key Management Protocol (ISAKMP) framework. The 
ISAKMP framework establishes the security associations and cyrptographic keys. The 
first phase establishes the security associations between the plurality of nodes 110 
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establishing a particular tunnel. IKE assumes that no secure channel, i.e., tunnel, 
currently exists and therefore it must initially establish one to protect any ISAKMP 
messages. The second phase refers to the negotiation of the security association for 
Internet Protocol (IP) security. Upon the successful completion of the negotiation of the 
phase two security association, data may be transferred between the plurality of nodes 
110 establishing the tunnel 120. 



In one embodiment, an ISAKMP security association may be established between 
the nodes 1 10 of a particular tunnel 120, i.e., first phase of IKE, in the following manner 
through the exchange of six messages as illustrated in Figure 4. Figure 4 illustrates the 
flow of messages from the initiator node 1 10 to the responding node 1 10. The initiator 
node 1 10 is the node 1 10 that initiates sending messages or data in the tunnel 120. The 
responder node 1 10 is the node 1 10 that responds to the messages and data sent by the 
initiator node 110 across the tunnel 120. An example of a responder node 110 may be 
the server node 1 10A of Figure 1 . An example of an initiator node 1 10 may be any of 
the client nodes, e.g., nodes 1 10B-D of Figure 1 . In the first message, the initiator node 
110 transfers its security policy to the responding node 110. The responding node 110 
transfers its security policy to the initiator node 1 1 0 in the second message if the security 
policy of the responding nodel 10 matches the security policy of the initiator node 110. 
In another embodiment, the responding nodel 10 transfers its security policy to the 
initiator node 110 in the second message if both nodes 110 agree on the same set of 
protection suites in their security policy at any point in time. Additionally, cookies are 
generated to incorporate into the ISAKMP header in the first and second message. 
Cookies ensure protection against denial of service attacks and the pair of cookies (the 
initiator's cookie and responder's cookie) identify the ISAKMP security association. 

In the third message, the initiator node 110 transfers a nonce, i.e., random 
number, to the responder node 1 1 0 that is used to generate key material for the responder. 
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The responder node 1 1 0 transfers a nonce, i.e., random number, to the initiator node 1 1 0 
in the fourth message that is used to generate key material for the initiator. Since both 
the initiator and responder node 110 possess the same mathematical algorithm, the 
initiator and responder node 110 will have the same key material. All ISAKMP 
messages from this point are then encrypted. 

In the fifth message, the initiator node 1 1 0 transfers the ID of a particular member 
of a particular group name to the responder node 110 and through an authentication 
method, e.g. , preshared key, the initiator node 1 1 0 is authenticated. In the sixth message, 
the responder node 110 transfers an ID of the responder node 1 10 to the initiator node 
1 10 and through an authentication method, e.g., preshared key, the responder node 1 10 
is authenticated. For example, if a security association is being established for tunnel 
120 A, then client node, e.g., HOB, the initiator node, may transfer the ID of a particular 
member of a particular group name as the fifth message to the server node 1 10A. The 
server node 1 10A, the responder node, may then transfer the ID of the responder node 
in the sixth message to the client node, e.g., HOB. Subsequently, tunnel 120A is 
associated with the particular member of the particular group name. 

Upon completion of the first and second phase of IKE, the particular tunnel 120 
established by the tunnel definition database at each respective node, e.g., 110A and 
1 1 0B, associated with a particular member of a particular group is activated. That is, the 
particular member of the particular group associated with that tunnel 120 may use that 
tunnel 1 20. It is noted that the type of tunnel 1 20 established and activated using an IKE 
protocol as described above is commonly referred to as an IKE tunnel. 

In step 350, data is transferred across the IKE tunnel between the plurality of 
nodes establishing the IKE tunnel in a secure private connection. 
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Although the method, network system and computer program product of the 
present invention is described in connection with several embodiments, it is not intended 
to be limited to the specific forms set forth herein, but on the contrary, it is intended to 
cover such alternatives, modifications, and equivalents, as can be reasonably included 
within the spirit and scope of the invention as defined by the appended claims. It is noted 
that the headings are used only for organizational purposes and not meant to limit the 
scope of the description or claims. 
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CLAIMS: 

1 . A method for allowing a server node in a virtual private network to have a single 
tunnel definition and a single security policy for a plurality of tunnels associated with a 
group name comprising the steps of; 

configuring a group database in said server node, wherein said group database in 
said server node comprises said group name and a list of members associated with said 
group name; and 

configuring a rules database in said server node, wherein said rules database 
associates said group name with a particular security policy, wherein said server node has 
a single security policy for each of the plurality of tunnels associated with said group 
name. 

2. The method as recited in claim 1 further comprising the step of: 
configuring a tunnel definition database in said server node, wherein a remote ID 

in said tunnel definition is defined as said group name, wherein said server node has a 
single tunnel definition for each of the plurality of tunnels associated with said group 
name. 

3 . The method as recited in claim 2 further comprising the step of: 

activating a particular tunnel of said plurality of tunnels associated with said 
group name, wherein said particular tunnel is associated with a particular member of said 
group name. 

4. The method as recited in claim 3 further comprising the step of: 
transferring data across said particular tunnel. 
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5. The method as recited in claim 1, wherein said list of members associated with 
said group name comprise an ID type and an ID of each member associated with said 
group name, 

6. The method as recited in claim 5, wherein said ID type is an Internet Key 
Exchange (IKE) defined ID type, wherein said list of members is a non-contiguous list 
of IKE defined ID types. 

7. The method as recited in claim 5, wherein said ID is a login ID. 

8. The method as recited in claim 5, wherein said ID is a specified name. 

9. The method as recited in claim 2, wherein configuring said tunnel definition 
database in said server node comprises establishing said server node and a client node 
as the two end points of a particular tunnel. 

10. The method as recited in claim 9 ? wherein said tunnel definition database in said 
server node is configured by a user entering a local ID ? a local ED type, said remote ID 
and a remote ID type through a GUI. 

1 1 . The method as recited in claim 9, wherein said tunnel definition database in said 
server node is configured by a user entering a local ID, a local ID type, said remote ID 
and a remote ID type through a command line interface. 

12. The method as recited in claim 1 , wherein said group database in said server node 
comprises said group name and an ID type of each member of said group name and an 
ID of each member of said group name. 
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1 13. The method as recited in claim 12, wherein configuring said group database in 

2 said server node is accomplished by entering said group name, said ID type of each 

3 member of said group name and said ID of each member of said group name through a 

4 GUI. 

1 14. The method as recited in claim 12, wherein configuring said group database in 

2 said server node is accomplished by entering said group name, said ID type of each 

3 member of said group name and said ID of each member of said group name through a 

4 command line interface. 

1 15. The method as recited in claim 12, wherein configuring said group database in 

2 % !f said server node is accomplished by entering said group name, said ID type of each 

3 in member of said group name and said ID of each member of said group name through 

4 vi configuration files. 

1 f iJ 16. The method as recited in claim 1, wherein said rules database in said server node 

2 f j comprises said group name, a group name ID type and a security policy pointer. 

1 17. The method as recited in claim 1 6, wherein configuring said rules database in said 

2 q server node is accomplished by entering said group name, said group name ID type and 

3 said security policy pointer through a GUI. 

1 18. The method as recited in claim 1 6, wherein configuring said rules database in said 

2 server node is accomplished by entering said group name, said group name ED type and 

3 said security policy pointer through a command line interface. 

1 19. The method as recited in claim 3, wherein activating said particular tunnel 

2 comprises the steps of: 
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3 sending a security policy stored in a policy database of a client node by said client 

4 node to said server node; 

5 sending a security policy stored in a policy database of said server node by said 

6 server node to said client node if said security policy stored in said policy database of 

7 said server node matches said security policy stored in said policy database of said client 

8 node; 

9 sending a first nonce by said client node to said server node; 

10 sending a second nonce by said server node to said client node; 

1 1 sending a first ID by said client node to said server node; and 

12 sending a second ID by said server node to said client node. 

1 *I 20. The method as recited in claim 1 9, wherein said first and second nonce are used 

2 to generate key material for said server and client node, respectively. 

1 1 u 2L The method as recited in claim 1 9, wherein said policy database in said client and 

2 1 y server node are configured by entering said security policy through a GUI at said client 

3 Q and server node. 

1 Ji? 22. The method as recited in claim 1 9, wherein said policy database in said client and 

2 C3 server node are configured by entering said security policy through a command line 

3 interface at said client and server node. 

1 23 . The method as recited in claim 1 9, wherein said first ID is an ID of said particular 

2 member of said group name. 

1 24. The method as recited in claim 3, wherein activating said particular tunnel 

2 comprises the steps of: 
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sending a security policy stored in a policy database of a client node by said client 
node to said server node; 

sending a security policy stored in a policy database of said server node by said 
server node to said client node if said security policy stored in said policy database of 
said server node agrees on the same set of protection suites at any point in time with said 
security policy stored in said policy database of said client node; 

sending a first nonce by said client node to said server node; 

sending a second nonce by said server node to said client node; 

sending a first ID by said client node to said server node; and 

sending a second ID by said server node to said client node. 
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25 . A network system comprising: 

a plurality of tunnels associated with a group name, wherein each of said plurality 
of tunnels associated with said group name comprises a plurality of nodes, wherein each 
of said plurality of nodes comprises a communication adapter to interconnect with said 
virtual private network, wherein one of said plurality of nodes is a server node, wherein 
one of said plurality of nodes is a client node, wherein said server node comprises: 

a group database, wherein said group database comprises said group name 
and a list of members associated with said group name; and 

a rules database, wherein said rules database associates said group name 
with a particular security policy, wherein said server node has a single security policy for 
each of the plurality of tunnels associated with said group name. 

26. The network system as recited in claim 25, wherein said server node further 
comprises: 

a tunnel definition database, wherein a remote ID in said tunnel definition is 
defined as said group name, wherein said server node has a single tunnel definition for 
each of the plurality of tunnels associated with said group name. 

27. The network system as recited in claim 26, wherein a particular tunnel of said 
plurality of tunnels associated with said group name is activated, wherein said particular 
tunnel is associated with a particular member of said group name. 

28. The network system as recited in claim 25, wherein said list of members 
associated with said group name comprise an ID type and an ID of each member 
associated with said group name. 
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29. The network system as recited in claim 28, wherein said ID type is an Internet 
Key Exchange (IKE) defined ID type, wherein said list of members is a non-contiguous 
list of IKE defined ID types. 

30. The network system as recited in claim 28, wherein said ID is a login ID. 

3 1 . The network system as recited in claim 28, wherein said ID is a specified name. 

32. The network system as recited in claim 26, wherein said tunnel definition 
database in said server node is configured by a user entering a local ED, a local ID type, 
said remote ID and a remote ID type through a GUI. 

33. The network system as recited in claim 26, wherein said tunnel definition 
database in said server node is configured by a user entering a local ID, a local ED type, 
said remote ID and a remote ED type through a command line interface. 

34. The network system as recited in claim 25, wherein said group database in said 
server node comprises said group name and an ID type of each member of said group 
name and an ED of each member of said group name. 

35. The network system as recited in claim 34, wherein said group database in said 
server node is configured by a user entering said group name, said ED type of each 
member of said group name and said ID of each member of said group name through a 
GUI 

36. The network system as recited in claim 34, wherein said group database in said 
server node is configured by a user entering said group name, said ID type of each 



-23- 



AUS9 



'-2000-0479-US 1 PATENT 

member of said group name and said ID of each member of said group name through a 
command line interface. 



37. The network system as recited in claim 34, wherein said group database in said 
server node is configured by a user entering said group name, said ID type of each 
member of said group name and said ED of each member of said group name through 
configuration files. 

38. The network system as recited in claim 25, wherein said rules database in said 
server node comprises said group name, a group name ID type and a security policy 
pointer. 

39. The network system as recited in claim 38, wherein said rules database is 
configured by a user entering said group name, said group name ID type and said security 
policy pointer through a GUI. 

40. The network system as recited in claim 39, wherein said rules database is 
configured by a user entering said group name, said group name ID type and said security 
policy pointer through a command line interface. 

41. The network system as recited in claim 27, wherein activating said particular 
tunnel comprises the steps of: 

sending a security policy stored in a policy database of said client node by said 
client node to said server node; 

sending a security policy stored in a policy database of said server node by said 
server node to said client node if said security policy stored in said policy database of 
said server node matches said security policy stored in said policy database of said client 
node; 
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sending a first nonce by said client node to said server node; 
sending a second nonce by said server node to said client node; 
sending a first ID by said client node to said server node; and 
sending a second ID by said server node to said client node. 

42. The network system as recited in claim 41, wherein said first and second nonce 
are used to generate key material for said server and client node, respectively. 

43. The network system as recited in claim 41, wherein said policy database in said 
client and server node are configured by entering said security policy through a GUI at 
said client and server node. 

44. The network system as recited in claim 41, wherein said policy database in said 
client and server node are configured by entering said security policy through a command 
line interface at said client and server node. 

45. The network system as recited in claim 41, wherein said first ID is an ID of said 
particular member of said group name. 

46. The network system as recited in claim 27, wherein activating said particular 
tunnel comprises the steps of: 

sending a security policy stored in a policy database of said client node by said 
client node to said server node; 

sending a security policy stored in a policy database of said server node by said 
server node to said client node if said security policy stored in said policy database of 
said server node agrees on the same set of protection suites at any point in time with said 
security policy stored in said policy database of said client node; 

sending a first nonce by said client node to said server node; 
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1 0 sending a second nonce by said server node to said client node; 

1 1 sending a first ID by said client node to said server node; and 

12 sending a second ID by said server node to said client node. 
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1 47. A computer program product having a computer readable medium having 

2 computer program logic recorded thereon for allowing a server node in a virtual private 

3 network to have a single tunnel definition and a single security policy for a plurality of 

4 tunnels associated with a group name, comprising: 

5 programming operable for configuring a group database in said server node, 

6 wherein said group database in said server node comprises said group name and a list of 

7 members associated with said group name; and 

8 programming operable for configuring a rules database in said server node, 

9 wherein said rules database associates said group name with a particular security policy, 

10 wherein said server node has a single security policy for each of the plurality of tunnels 

11 associated with said group name. 

1 '"--d 48. The computer program product as recited in claim 47 further comprises: 

2 programming operable for configuring a tunnel definition database in said server 

3 ^ node, wherein a remote ID in said tunnel definition is defined as said group name, 

4 I J wherein said server node has a single tunnel definition for each of the plurality of tunnels 

5 ;Z associated with said group name. 

1 O 49. The computer program product as recited in claim 48 further comprises: 

2 programming operable for activating a particular tunnel of said plurality of 

3 tunnels associated with said group name, wherein said particular tunnel is associated with 

4 a particular member of said group name. 

1 50. The computer program product as recited in claim 49 further comprises: 

2 programming operable for transferring data across said particular tunnel. 
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51. The computer program product as recited in claim 47, wherein said list of 
members associated with said group name comprise an ID type and an ID of each 
member associated with said group name. 

52. The computer program product as recited in claim 5 1 , wherein said ID type is an 
Internet Key Exchange (IKE) defined ID type, wherein said list of members is a 
non-contiguous list of IKE defined ID types. 

53 . The computer program product as recited in claim 5 1 , wherein said ID is a login 
ID. 

54. The computer program product as recited in claim 51, wherein said ID is a 
specified name. 

55. The computer program product as recited in claim 48, wherein configuring said 
tunnel definition database in said server node comprises establishing said server node and 
a client node as the two end points of a particular tunnel. 

56. The computer program product as recited in claim 55, wherein said tunnel 
definition database in said server node is configured by a user entering a local ID, a local 
ID type, said remote ED and a remote ID type through a GUI. 

57. The computer program product as recited in claim 55, wherein said tunnel 
definition database in said server node is configured by a user entering a local ID, a local 
ID type, said remote ID and a remote ID type through a command line interface. 
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1 58. The computer program product as recited in claim 47, wherein said group 

2 database in said server node comprises said group name and an ID type of each member 

3 of said group name and an ID of each member of said group name. 

1 59. The computer program product as recited in claim 58, wherein configuring said 

2 group database in said server node is accomplished by entering said group name, said ID 

3 type of each member of said group name and said ID of each member of said group name 

4 through a GUI 

1 60. The computer program product as recited in claim 58, wherein configuring said 

2 group database in said server node is accomplished by entering said group name, said ID 

3 *!? type of each member of said group name and said ID of each member of said group name 

4 |n through a command line interface. 

1 I7i 61 . The computer program product as recited in claim 58, wherein configuring said 

2 rii group database in said server node is accomplished by entering said group name, said ID 

3 p type of each member of said group name and said ID of each member of said group name 

4 ;i : through configuration files. 

1 C3 62 * The computer program product as recited in claim 47, wherein said rules database 

2 in said server node comprises said group name, a group name ID type and a security 

3 policy pointer. 

1 63 . The computer program product as recited in claim 62, wherein configuring said 

2 rules database in said server node is accomplished by entering said group name, said 

3 group name ID type and said security policy pointer through a GUI. 
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1 64. The computer program product as recited in claim 62, wherein configuring said 

2 rules database in said server node is accomplished by entering said group name, said 

3 group name ED type and said security policy pointer through a command line interface. 

1 65. The computer program product as recited in claim 49, wherein activating said 

2 particular tunnel comprises the steps of: 

3 sending a security policy stored in a policy database of a client node by said client 

4 node to said server node; 

5 sending a security policy stored in a policy database of said server node by said 

6 server node to said client node if said security policy stored in said policy database of 

7 said server node matches said security policy stored in said policy database of said client 

8 1% node; 

9 sending a first nonce by said client node to said server node; 

10 s| sending a second nonce by said server node to said client node; 

1 1 f \i sending a first ED by said client node to said server node; and 

12 s y sending a second ID by said server node to said client node. 

1 □ . 66. The computer program product as recited in claim 65, wherein said first and 

2 ^ second nonce are used to generate key material for said server and client node, 

3 p respectively. 

1 67. The computer program product as recited in claim 65, wherein said policy 

2 database in said client and server node are configured by entering said security policy 

3 through a GUI at said client and server node. 

1 68. The computer program product as recited in claim 65, wherein said policy 

2 database in said client and server node are configured by entering said security policy 

3 through a command line interface at said client and server node. 
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69. The computer program product as recited in claim 65, wherein said first ID is an 
ID of said particular member of said group name. 

70. The computer program product as recited in claim 49 ? wherein activating said 
particular tunnel comprises the steps of: 

sending a security policy stored in a policy database of a client node by said client 
node to said server node; 

sending a security policy stored in a policy database of said server node by said 
server node to said client node if said security policy stored in said policy database of 
said server node agrees on the same set of protection suites at any point in time with said 
security policy stored in said policy database of said client node; 

sending a first nonce by said client node to said server node; 

sending a second nonce by said server node to said client node; 

sending a first ID by said client node to said server node; and 

sending a second ID by said server node to said client node. 
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VIRTUAL PRIVATE NETWORK WITH MULTIPLE TUNNELS 
ASSOCIATED WITH ONE GROUP NAME 
ABSTRACT OF THE INVENTION 



A method, network system and computer program product for establishing a 
server node in a virtual private network with a single tunnel definition and a single 
security policy for a plurality of tunnels associated with a group name. In one 
embodiment, a method comprises the step of configuring a group database in the server 
node. The group database in the server node comprises the group name and a list of 
members associated with the group name. The method further comprises configuring a 
rules database in the server node. The rules database associates the group name with a 
particular security policy. The method further comprises configuring a tunnel definition 
database in the server node. In the tunnel definition database, the remote ID is defined 
as the group name. In another embodiment of the present invention, the list of members 
associated with the group name comprises a non-contiguous list of ID types. In another 
embodiment of the present invention, the members associated with the group name are 
identified by any specified name. 
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Figure 3 



Configuring a group database in a server node, where thej 
group database comprises a group name and a list of 
members associated with the group name 



Configuring a rules database in the server node, where the 
rules database associates the group name with a particular 
security policy, where the server node has the same security 
policy for each of the plurality of tunnels associated with the 
group name 



Configuring a tunnel definition database in the server nodq 
where a remote ID in the tunnel definition is defined as the 

group name, where the server node has the same tunnel 
definition for each of the plurality of tunnels associated with 
the group name 



Activating a particular tunnel of the plurality of tunnels 
associated with the group name, where the particular tunnel 
is associated with a particular member of the group name 



Transferring data across the particular tunnel 
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As a below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below next to my 

name; 

I believe I am the original, first and sole inventor (if only one name is listed 
below) or an original, first and joint inventor (if plural names are listed below) of the 
subject matter which is claimed and for which a patent is sought on the invention entitled 

VIRTUAL PRIVATE NETWORK WITH MULTIPLE TUNNELS 
ASSOCIATED WITH ONE GROUP NAME 

the specification of which (check one) 

is is attached hereto. 

□ was filed on 

as Application Serial No. 

and was amended on 



I hereby state that I have reviewed and understand the contents of the above identified 
specification, including the claims, as amended by any amendment referred to above. 

I acknowledge the duty to disclose information which is material to the patentability of 
this application in accordance with Title 37, Code of Federal Regulations, §1.56. 

I hereby claim foreign priority benefits under Title 35, United States Code, §119 of any 
foreign application(s) for patent or inventor's certificate listed below and have also 
identified below any foreign application for patent or inventor's certificate having a filing 
date before that of the application on which priority is claimed: 

Prior Foreign Application(s) : Priority Claimed 

— □ Yes □ No 

(Number) (Country) (Day/Month/Year) 
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I hereby claim the benefit under Title 35, United States Code, §120 of any United States 
application(s) listed below and, insofar as the subject matter of each of the claims of this 
application is not disclosed in the prior United States application in the manner provided 
by the first paragraph of Title 35, United States Code, §112, 1 acknowledge the duty to 
disclose information material to the patentability of this application as defined in Title 
37, Code of Federal Regulations, §1.56 which occurred between the filing date of the 
prior application and the national or PCT international filing date of this application: 



(Application Serial #) (Filing Date) (Status) 

I hereby declare that all statements made herein of my own knowledge are true and that 
all statements made on information and belief are believed to be true; and further that 
these statements were made with the knowledge that willful false statements and the like 
so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 
of the United States Code and that such willful false statements may jeopardize the 
validity of the application or any patent issued thereon. 

POWER OF ATTORNEY: As a named inventor, I hereby appoint the following 
attorneys and/or agents to prosecute this application and transact all business in the Patent 
and Trademark Office connected therewith. 

John W. Henderson, Jr., Reg. No. 26,907; James H. Barksdale, Jr., Reg. No. 24,091; 
Thomas E. Tyson, Reg. No. 28,543; Robert M. Carwell, Reg. No. 28,499; Jeffrey S. 
LaBaw, Reg. No. 31,633; Douglas H. Lefeve, Reg. No. 26,193; Casimer K. Salys, Reg. 
No. 28,900; David A. Mims, Jr., Reg. No. 32,708; Mark E. McBurney, Reg. No. 33,1 14; 
Anthony V. S. England, Reg. No. 35,129; VolelEmile, Reg. No. 39 ? 969; Christopher A. 
Hughes, Reg. No. 26,914; Edward A. Pennington, Reg. No. 32,588; JohnE. Hoel, Reg. 
No. 26 ? 279; Joseph C. Redmond, Jr., Reg. No. 18,753; Leslie A. VanLeeuwen, Reg. No. 
42,196; Marilyn S. Dawkins, Reg. No. 31,140; Kelly K. Kordzik, Reg. No. 36,571; Barry 
S. Newberger, Reg. No. 41,527; and Robert A. Voigt, Jr., Reg. No. P47,159. 

Send correspondence to: Kelly K. Kordzik, 100 Congress Avenue, Suite 800, Austin, 
Texas 78701, and direct all telephone calls to Kelly K. Kordzik at (512) 370-2851. 
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LaBaw, Reg. No. 31,633; Douglas H, Lefeve, Reg. No. 26,193; Casimer K. Salys, Reg. 
No. 28,900; David A Mims, Jr., Reg. No. 32,708; Mark E. McBurney, Reg. No. 33,1 14; 
Anthony V. S. England, Reg. No. 35,129; Volel Emile, Reg. No. 39,969; Christopher A. 
Hughes, Reg. No. 26,914; Edward A. Pennington, Reg. No. 32,588; JohnE. Hoel, Reg. 
No. 26,279; Joseph C. Redmond, Jr., Reg. No. 18,753; Leslie A Van Leeuwen, Reg. No. 
42,196; Marilyn S. Dawkins, Reg. No. 31,140; Kelly K. Kordzik, Reg. No. 36,571; Barry 
S. Newberger, Reg. No. 41,527; and Robert A Voigt, Jr., Reg. No. P47.159. 

Send correspondence to: Kelly K. Kordzik, 100 Congress Avenue, Suite 800, Austin, 
Texas 78701, and direct all telephone calls to Kelly K. Kordzik at (512) 370-285 1 . 
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INVENTOR'S SIGN. 



FULL NAME OF FIRST^OR- 




RESIDENCE: 3103 High Ridge Road " 

Yorktown Heights, Westchester County, New York 10598 

CITIZENSHIP: TAIWAN (R.O.C.) 

POST OFFICE ADDRESS: (Same as Residence) 

FULL NAME OF SECOND INVENTOR AJTT CLARENCE D'SA 

INVENTOR'S SIGNATURE: DATE: 

RESIDENCE: 5 6 07 B Highland Cm t Drive 

Austin, Travis County, Texas 78731 

CITIZENSHIP: U.S.A. 

POST OFFICE ADDRESS: (Same as Residence) 

FULL NAME OF THIRD INVENTOR JIAN HUA FENG 

INVENTOR'S SIGNATURE: DATE: 

RESIDENCE: 12113 Metric Boulevard 
Apartment 1011 

Austin, Travis County, Texas 78758 

CITIZENSHIP: CHINA 

POST OFFICE ADDRESS: (Same as Residence) 
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FULL NAME OF FOURTH INVENTOR: DENISE MARIE GENTY 

INVENTOR'S SIGNATURE: DATE: 

RESIDENCE: 16507 Denise Drive 

Austin, Travis County, Texas 78717 

CITIZENSHIP: U.S.A. 

POST OFFICE ADDRESS: (Same as Residence) 

FULL NAME OF SECOND INVENTOR: JACQUELINE HEGEDUS WILSON 

INVENTOR'S SIGNATURE: DATE: 

RESIDENCE: 9504 Bell Mountain Drive 

Austin, Travis County, Texas 78730 

CITIZENSHIP: U.S.A. 

POST OFFICE ADDRESS: (Same as Residence) 

:S3DMA\PCDOCS\AU?nN.lU4727J\J 
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